After four years of debate and a year of uncertainty over the future of data transfers from the European Union (EU) to the United States, this week has seen a historic move towards finalizing new legislation to govern data privacy and protection laws in Europe. On December 15, 2015, negotiators from the Council of the European Union, European Parliament, and European Commission agreed on the text of the long-awaited General Data Protection Regulation (GDPR), the biggest shake-up of data privacy laws in 20 years. On December 17, 2015, this text was approved by the European Parliament’s Civil Liberties Committee. The final steps will be a vote in the Parliament as a whole in the New Year, followed shortly thereafter, it is hoped, by the text’s formal adoption by the Council of Ministers, the representatives of the 28 countries in the European Union.
Although the GDPR will not come into effect for two years, it will certainly inform those urgently trying to find a replacement for the discredited Safe Harbor scheme for the transfer of data to the United States.
European regulators have said they will give the Federal Trade Commission and the European Commission until February 2016 to find a solution before they begin to strictly enforce the European Court of Justice’s decision in Schrems in October of 2015, which made transfers to the United States under Safe Harbor potentially unlawful.
The new GDPR is a “Regulation,” not the usual “Directive,” meaning that it will apply in all 28 countries directly. The 1995 Data Protection Directive (Directive 95/46/EC), which the GDPR replaces, gave direction to member states but left them to implement its provisions through their own legislation, such as the UK’s Data Protection Act 1998. The effect of the GDPR will be felt by all U.S. companies that have employees in Europe or do business in Europe. The GDPR introduces a number of new rules which apply to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered and regardless of where the data is processed. The new rules are seen as a tightening up of the current regime, and include the following:
- The introduction of a “one-stop shop,” so that multinationals do not have to deal with regulators in each European jurisdiction on the same issue but with just one “lead” authority. However, each member’s regulator will still have authority to enforce any unique requirements under national data protection laws;
- New powers for data protection authorities, including the ability to fine organizations up to 4 percent of their annual revenue and to impose criminal penalties;
- The requirement that some companies appoint a data protection officer, including all public bodies processing data, all companies where data processing is a “core” activity, and all companies where sensitive data is processed on a “large scale,” such as insurers and benefit providers;
- Compulsory notification of a data breach to the appropriate supervisory authority within 72 hours of the discovery of the breach if that breach creates significant risk for the data subject, and to affected individuals as soon as reasonably feasible if the breach is likely to result in a high-risk identity theft or other adverse impact to the individual’s rights and freedoms;
- An age of consent for data processing: Children under the age of 16 will need to obtain parental approval to give consent to the use or collection of their data, unless the member state passes a law lowering that age, though to no lower than 13;
- Companies must show that they obtained consent based on the informed and freely given affirmative action of the data subject, that the consent is in clear and plain language, and that the data subject has the ability to withdraw consent at any time;
- The introduction of special categories of personal data including genetic, biometric, health, racial, criminal convictions and offenses, and political data;
- The requirement that controllers provide any personal data that they hold about a data subject, free of charge and within one month of a data subject’s request;
- In addition to using binding corporate rules and standard contract clauses, companies may now obtain certification from the appropriate supervisory authority that they are in compliance with the GDPR to transfer data to countries that do not otherwise provide adequate protections; and
- A new “right to erasure” (otherwise known as the “right to be forgotten”), whereby controllers are required to delete personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected or if the data collected falls into one of the new sensitive categories—even if the data has already been made public.
European Data Protection Supervisor Giovanni Buttarelli said that he believes the GDPR will greatly facilitate new privacy legislation, including new agreements with the United States expected in early 2016. With the clock ticking, we can all hope that he is right as we look forward to the new “Safe Harbor 2.0.”
Ogletree Deakins will keep you up to date on the latest developments in this rapidly evolving area of international data privacy law by means of the Data Privacy blog, webinars, and seminars. Stay tuned.